Introduction
Note: This is not supported by Microsoft and your mileage may vary. That said, it speeds up compliance and, more importantly, improves security: the device is already encrypted by the time the user logs on (the recovery key is uploaded to Intune in Part 2).
Windows Autopilot pre-provisioning (WhiteGlove) is the ability to pre-stage content and policies on a device while it is still being prepared at the factory or in a staging area. We had a challenge to speed up the overall compliance of Windows Autopilot devices, and the obvious solution was to stage as much content as we could during pre-provisioning (WhiteGlove) and also to enable BitLocker encryption during that process. The only problem is that Microsoft doesn't officially support BitLocker encryption during the WhiteGlove scenario, because the recovery key information is only uploaded to Intune when a user logs in.
In our initial testing, encryption itself wouldn't even start until the user logged in. That is not much of a problem when there is little data on the disk, but if you have hundreds of gigabytes to encrypt it could take hours after the user has logged on, and the device is not compliant until it finishes. As BitLocker encryption is a common compliance policy setting, this needed to be addressed. The challenge was to do the heavy lifting (pre-provisioning and encryption) during the WhiteGlove process and to upload the key to Intune only once the user actually enrolled the device. That need brought about this solution, which is in 3 parts.
- Encrypting devices during Windows Autopilot provisioning (WhiteGlove) – Part 1 <- you are here
- Upload recovery key to Intune after the user has signed in and completed WHFB setup – Part 2
- Move devices to the WhiteGlove_Completed Azure AD group targeted with the BitLocker policy – Part 3
Step 1. Create Azure AD group
In Microsoft Intune, create a dynamic device group called WhiteGlove Computers with a membership rule that matches the WhiteGlove Group Tag. This group will dynamically fill with the Windows Autopilot devices that have that Group Tag assigned to them.
Below is the query used:
(device.devicePhysicalIds -any (_ -eq "[OrderID]:WhiteGlove"))
Step 2. Exclude BitLocker configuration profiles from this group
Locate any existing BitLocker configuration profiles in your tenant and exclude this group from them, otherwise they will conflict with the Win32 app and cause the solution to fail.
Step 3. Allow Pre-provisioned deployment
Next, locate your Windows Autopilot Deployment Profiles and enable the WhiteGlove ability by turning on the Allow pre-provisioned deployment setting. Assign the profile to the group created in Step 1. This profile must also set the User account type to Administrator (local admin). Don't panic, we'll be removing this local admin right later on in the solution, before the end user can cause trouble.
In the example below you can see a Windows Autopilot deployment profile called Intune: Local admin
Step 4. Exclude standard user deployment profiles
If you have any additional deployment profiles for standard users, make sure to exclude this group from them, otherwise the devices won't get the settings needed for the second part of this solution.
Step 5. Configure a WhiteGlove ESP
Configure at least one Enrollment Status Page (ESP) targeted to your WhiteGlove Computers Azure AD group.
Step 6. Add a Win32 App
Next, using the latest version of IntuneWinAppUtil.exe, create a Win32 app called Enable Bitlocker during Windows Autopilot WhiteGlove. This app enables BitLocker during WhiteGlove at the factory. The source files are in the attached 7-Zip archive; use 7-Zip to extract them.
WhiteGlove – Enable BitLocker During WhiteGlove preprovisioning.7z
Configure the app settings as follows:
Name: Enable Bitlocker during Windows Autopilot WhiteGlove
Program Install command: install.win.ap.enable.bitlocker.during.whiteglove.cmd
Program uninstall command: install.win.ap.enable.bitlocker.during.whiteglove.cmd
Install behavior: System
Device restart behavior: No specific action
Return codes:
0 Success
1707 Success
3010 Soft reboot
1641 Hard reboot
1618 Retry
Requirements:
Operating system architecture: x64
Minimum operating system: Windows 10 1903
Detection rules:
Rules format: Manually configure detection rules
Detection rule: File, path C:\Windows
Assign the app as Required to your WhiteGlove Computers Azure AD group.
Step 7. Add the Group tag to a test device
In this step, either import a new CSV for a Windows Autopilot device or use an existing registered device to test with, then add the WhiteGlove Group Tag to that Windows Autopilot device so it lands in the dynamic group from Step 1.
Step 8. Provision the device
The staging of content and policies to the device normally takes place at the factory (OEM) or in an IT admin staging area. At the first screen of OOBE (shown below), the technician presses the Windows key 5 times to start provisioning mode.
Next, select Windows Autopilot provisioning from the list and click Continue.
If everything went well it will download the Windows Autopilot profile assigned to the device and display its details.
Click Provision to start the staging process.
Once the ESP installs the Win32 app, it begins encrypting the drive. You can confirm this from a command prompt (Shift+F10 during OOBE) with the following command:
manage-bde -status
The next screenshots are from real hardware.
Once all apps and policies have installed completely and successfully, the drive is fully encrypted with two key protectors: a TPM protector, and an external key protector whose .BEK file is written temporarily to the SYSTEM partition. Keep in mind what "temporarily" means here: the SYSTEM partition is not encrypted, so until Part 2 removes that protector anyone with physical access to the disk can unlock the OS volume with the key file, and at this stage nothing has been escrowed to Intune yet.
At this point the technician can click on Reseal to seal the device for user enrollment (Part 2).
That's it for this part. Please join me in Part 2 where we'll add the next Win32 app, which will do a bunch of actions including:
- create a scheduled task to run a script when WHFB setup is completed
- remove BEK protector
- add numerical password protector
- upload the key to Intune
- restart the computer with a shutdown message to the end user
Troubleshooting
The Win32 app used in this part logs to C:\Windows\Temp\win.ap.enable.bitlocker.during.whiteglove.log
The contents below are from a working WhiteGlove deployment; use them as a reference to compare with your own log file. Note that the Current BL Status lines list the protectors as Tpm and ExternalKey: the ExternalKey is the .BEK file on the SYSTEM partition.
02/27/2023 04:33:46 Starting script: 'win.ap.enable.bitlocker.during.whiteglove' version: '0.11'...
02/27/2023 04:33:46 checking the current bitlocker encryption status
02/27/2023 04:33:47 Current Bitlocker Status: FullyDecrypted, None
02/27/2023 04:33:47 Fully decrypted, no need to decrypt
02/27/2023 04:33:47 starting TPM section
02/27/2023 04:33:48 TPM chip is currently owned, will not attempt to take ownership
02/27/2023 04:33:48 attempting to assign drive letter to the SYSTEM partition
02/27/2023 04:33:51 starting BitLocker Encryption section
02/27/2023 04:33:51 adding reg keys for BitLocker encryption settings
02/27/2023 04:33:51 succeeded adding the reg key
02/27/2023 04:33:51 adding AES-XTS256 reg key for BitLocker encryption settings
02/27/2023 04:33:51 succeeded adding the reg key
02/27/2023 04:33:51 Enabling BitLocker, TPM Protector and Recovery Password Protector
02/27/2023 04:34:10 enabling bitlocker worked YAY!!!!
02/27/2023 04:34:16 Current BL Status: C:, EncryptionInProgress, XtsAes256,Tpm ExternalKey
02/27/2023 04:34:16 Percentage Encrypted: '96'%.
02/27/2023 04:34:16 Percentage Encrypted: '96'%.
02/27/2023 04:34:16 Percentage Encrypted: '96'%.
[the script logs the percentage several times per second; the entries climbing through 97%, 98% and 99% between 04:34:17 and 04:35:03 are omitted here]
02/27/2023 04:35:03 Percentage Encrypted: '100'%.
02/27/2023 04:35:03 Current BL Status: C:, FullyEncrypted, XtsAes256,Tpm ExternalKey
02/27/2023 04:35:03 removing drive letter assigned to the SYSTEM partition now...
02/27/2023 04:35:04 The drive is fully encrypted now :-), we are exiting the script !
Once encryption during WhiteGlove is completed, a registry key is created; Part 2 looks for that key before it continues.
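To make the sequence in that log concrete, here is a PowerShell script that performs the same steps: status check, TPM check, map the SYSTEM partition, enable BitLocker with XTS-AES 256 and a TPM protector, add the external key (.BEK) protector, poll to 100%, unmap, and write a marker. This is an added example written for this article, not the script packaged in the 7-Zip archive above. It assumes S: is a free drive letter, that the marker key is HKLM:\SOFTWARE\WhiteGlove with a value named EncryptedDuringWhiteGlove (the post does not say which key it uses), and a 5 second poll interval; the log path is the one given in Troubleshooting.

```powershell
# Added example for this article, not the author's packaged script. Run as SYSTEM from the
# Win32 app. Assumptions not taken from the post: S: is free, the marker key path/name, and
# the 5 second poll interval.

$ErrorActionPreference = 'Stop'
$LogFile   = 'C:\Windows\Temp\win.ap.enable.bitlocker.during.whiteglove.log'  # path from the post
$OsDrive   = $env:SystemDrive                                                  # normally C:
$SysLetter = 'S:'                                                              # assumed free letter
$MarkerKey = 'HKLM:\SOFTWARE\WhiteGlove'                                       # assumed marker key

function Write-Log ([string]$Message) {
    "$(Get-Date -Format 'MM/dd/yyyy HH:mm:ss') $Message" |
        Out-File -FilePath $LogFile -Append -Encoding utf8
}

try {
    Write-Log 'checking the current bitlocker encryption status'
    $vol = Get-BitLockerVolume -MountPoint $OsDrive
    Write-Log "Current Bitlocker Status: $($vol.VolumeStatus), protection $($vol.ProtectionStatus)"
    if ($vol.VolumeStatus -ne 'FullyDecrypted') {
        # Refuse to stack protectors on a volume in an unknown state (e.g. a reused device).
        throw "expected FullyDecrypted, found $($vol.VolumeStatus)"
    }

    # A TPM protector needs a present, ready TPM. Windows auto-provisions the TPM on
    # modern hardware, so this is a check rather than an Initialize-Tpm call.
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) { throw 'TPM is not present or not ready' }
    Write-Log 'TPM is present and ready'

    # The EFI SYSTEM partition has no drive letter by default; map one so the .BEK file
    # can be written there. mountvol /S mounts exactly that partition.
    Write-Log "assigning $SysLetter to the SYSTEM partition"
    mountvol.exe $SysLetter /S
    if ($LASTEXITCODE -ne 0) { throw "mountvol failed with exit code $LASTEXITCODE" }

    # The post's script pins the cipher via the FVE policy value EncryptionMethodWithXtsOs=7
    # (XTS-AES 256); -EncryptionMethod does the same for this single call. -SkipHardwareTest
    # starts encrypting immediately instead of waiting for a reboot to test the TPM.
    Write-Log 'Enabling BitLocker with a TPM protector (XTS-AES 256)'
    Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod XtsAes256 `
        -TpmProtector -SkipHardwareTest | Out-Null

    # Second protector: an external key. -RecoveryKeyProtector writes a .BEK file to the
    # given path and adds an ExternalKey protector. The SYSTEM partition is not encrypted,
    # so this file is a cleartext unlock for the OS volume; Part 2 removes it and replaces
    # it with a numerical password protector that is escrowed to Intune.
    Write-Log "adding an external key protector, .BEK written to $SysLetter\"
    Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryKeyProtector `
        -RecoveryKeyPath "$SysLetter\" | Out-Null

    # Poll until the conversion finishes so the ESP only reports success on a fully
    # encrypted drive (the post's log polls several times a second; 5 s is enough).
    do {
        Start-Sleep -Seconds 5
        $vol = Get-BitLockerVolume -MountPoint $OsDrive
        Write-Log "Percentage Encrypted: '$($vol.EncryptionPercentage)'%."
    } while ($vol.VolumeStatus -eq 'EncryptionInProgress')

    $types = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ' '
    Write-Log "Current BL Status: $OsDrive, $($vol.VolumeStatus), $($vol.EncryptionMethod), $types"
    if ($vol.VolumeStatus -ne 'FullyEncrypted') { throw "unexpected volume status $($vol.VolumeStatus)" }
    if ($types -notmatch 'Tpm' -or $types -notmatch 'ExternalKey') { throw "unexpected protectors: $types" }

    Write-Log "removing $SysLetter from the SYSTEM partition"
    mountvol.exe $SysLetter /D

    # Marker that Part 2 checks before swapping the .BEK for a recovery password (name assumed).
    New-Item -Path $MarkerKey -Force | Out-Null
    New-ItemProperty -Path $MarkerKey -Name 'EncryptedDuringWhiteGlove' -Value 1 `
        -PropertyType DWord -Force | Out-Null
    Write-Log 'The drive is fully encrypted now, exiting the script'
}
catch {
    Write-Log "ERROR: $($_.Exception.Message)"
    exit 1
}
exit 0
```

Two design points worth noting. The script throws rather than continuing when the volume is not FullyDecrypted or the protector list is not exactly Tpm plus ExternalKey, so the ESP shows a failed app instead of a device that looks provisioned but is in a state Part 2 does not expect. And the exit codes line up with the return code table in Step 6: 0 is success and anything else is a failure the technician should investigate in the log before resealing.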
Recommended reading
Windows Autopilot for pre-provisioned deployment (Public preview) – https://learn.microsoft.com/en-us/mem/autopilot/pre-provision
Hi Niall,
I like your article but I see that the link for the Win32App source files is not working anymore.
Could you please fix that or share the script via e-mail?
Thanks!
Hi
the updated apps (I updated the code recently) are available here https://www.windows-noob.com/forums/topic/23198-encrypting-devices-during-windows-autopilot-provisioning-whiteglove-part-1/
you just need to login to the site to download them
cheers
niall